What is claimed is: 

1. A method for offering security level comprising 
the steps of:

(a) specifying, based on configuration information on 
a specific equipment, a vulnerability of said equipment, 
and associating information of the vulnerability with said 
equipment, said information of the vulnerability including 
a threat level value of the vulnerability; 

(b) computing a security level value of the 
vulnerability of the specific equipment based on the type 
of this equipment, the threat level value of the 
vulnerability for which no modification has been taken 
regarding this equipment, and the number of days while the 
vulnerability has been left without any modification taken 
for the vulnerability; and 

(c) outputting security level information based on 
the security level value obtained in said step (b).

2. The method according to Claim 1, further 
comprising the steps of 

(d) computing a security level value of said 
equipment by comparing the security level values of 
vulnerabilities when there are a plurality of 
vulnerabilities associated with said equipment, which have 
not been modified, and setting a security level value with 
the highest threat level value among the security level
values of said vulnerabilities as the security level value
of said equipment, and wherein 

said step (c) outputs the security level information 
based on the security value of said equipment obtained in 
step (d).

3. The method according to Claim 2, further
comprising the steps of 

(e) computing the security level value of a network 
when a plurality of equipments are connected to the 
network, by comparing security level values of the 
equipments, and setting a security level value with the 
highest threat level value among the security level values 
of said equipments as the security level value of said 
network, and wherein 

said step (c) outputs security level information 
based on the security value of said network. 

4. The method according to Claim 1, wherein said 
step (c) outputs security information based on both 
security level value obtained in the step (b) and basic 
security information computed based on a basic 
configuration, etc. of the equipment or the network. 

5. The method according to Claim 1, wherein said 
step (c) comprises a step of expressing said security 
level value in comparison with a security level reference 
value of a relevant system or the network to which said 
system is connected. 
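
The computation recited in Claims 1 to 3 and 5, as an added example that is not part of the patent text. The claims name the inputs (equipment type, threat level value, days left unmodified) but give no formula, so the weights in TYPE_WEIGHT, the 1%-per-day growth capped at 100 days, the convention that a higher value means a worse state, and all names and sample data are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Assumed weights per equipment type (not given in the claims).
TYPE_WEIGHT = {"server": 1.5, "network_device": 1.2, "workstation": 1.0}

@dataclass
class Vulnerability:
    vuln_id: str            # constructed identifier
    threat_level: int       # threat level value from the vulnerability store
    notified: date          # day the vulnerability was associated with the equipment
    modified: bool = False  # True once the manager has applied the modification

@dataclass
class Equipment:
    name: str
    kind: str
    vulns: list = field(default_factory=list)

def vuln_level(eq, v, today):
    """Step (b): value from equipment type, threat level and days left open."""
    days_open = max((today - v.notified).days, 0)
    # Assumed formula: grows 1% per day open, capped at double after 100 days.
    growth = 1 + min(days_open, 100) / 100
    return round(v.threat_level * TYPE_WEIGHT[eq.kind] * growth, 2)

def equipment_level(eq, today):
    """Step (d): worst value among vulnerabilities not yet modified."""
    open_vulns = [v for v in eq.vulns if not v.modified]
    return max((vuln_level(eq, v, today) for v in open_vulns), default=0.0)

def network_level(equipments, today):
    """Step (e): the worst equipment value stands for the whole network."""
    return max((equipment_level(eq, today) for eq in equipments), default=0.0)

def report(equipments, today, reference):
    """Claim 5: express the value in comparison with a reference value."""
    level = network_level(equipments, today)
    return {"level": level, "reference": reference, "exceeds": level > reference}

# Constructed sample inventory.
TODAY = date(2024, 3, 1)
web = Equipment("web01", "server", [
    Vulnerability("VULN-A", 5, date(2024, 2, 20)),       # 10 days open
    Vulnerability("VULN-B", 8, date(2024, 1, 1), True),  # modified, ignored
])
pc = Equipment("pc17", "workstation", [Vulnerability("VULN-C", 6, date(2023, 11, 1))])

if __name__ == "__main__":
    print(report([web, pc], TODAY, reference=10.0))
```

In this sample the older, lower-weighted workstation finding outranks the server finding because of the days-open term, which is the effect the third input in step (b) is there to capture.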



6. A system for computing a security level of a 
computer system, said system comprising: 

a configuration information storing unit for storing 
configuration information on the computer system to be 
monitored; 

a vulnerability information storing unit for storing 
various types of updated vulnerability information 
including at least a threat level value of the 
vulnerability; 

a vulnerability information offering unit to extract 
vulnerability information to be applied to said computer 
system from said vulnerability information storing unit 
based on said configuration information, and to associate 
the vulnerability information with this computer system; 

a vulnerability modification information storing unit 
for storing the information on whether or not a system 
manager has applied modification work based on this 
vulnerability information; 

a security level computing unit for computing, 
regarding a specific equipment, a security level regarding 
the vulnerability of said equipment from a type of this 
equipment, the threat level value of the vulnerability 
that has not been modified regarding this equipment,
and the number of days while the vulnerability has been
left without any modification taken; and

a security level information generating unit for 
generating and outputting security level information based on
the security level value obtained in said computing unit. 

7. The system according to Claim 6, said system 
further comprising, 

a security level value comparing unit to compute a 
security level value of said equipment by comparing 
security level values of vulnerabilities when there are a 
plurality of vulnerabilities associated with said 
equipment, which have not been modified, and setting a 
security level value with the highest threat level among 
the security level values of said vulnerabilities as the 
security level value of said equipment, and wherein 

said security level information generating unit 
generates security level information based on said 
security level value of said equipment computed by the 
security level value comparing unit. 

8. The system according to Claim 7, wherein 

said security level value comparing unit computes a 
security value of a network by comparing security level 
values of equipments when a plurality of equipments are 
connected to said network, and setting a security level 
value with the highest level of threat among the security 
level values of said equipments as the security value 
level of said network; and

said security level information generating unit 
outputs security level information based on the security 
level value of said network computed by the security level 
value comparing unit.

9. The system according to Claim 6, wherein

said security level information generating unit
outputs security information based on both security value
obtained in said security level computing unit and basic
security information computed based on a basic
configuration, etc. of an equipment or a network.

10. The system according to Claim 6, wherein

said security level information generating unit
expresses said security level value in comparison with a
security reference value of a relevant system or the
network to which this system is connected.